MCPcopy
hub / github.com/caddyserver/caddy / renewCertsForCA

Method renewCertsForCA

modules/caddypki/maintain.go:62–102  ·  view source on GitHub ↗
(ca *CA)

Source from the content-addressed store, hash-verified

60}
61
62func (p *PKI) renewCertsForCA(ca *CA) error {
63 ca.mu.Lock()
64 defer ca.mu.Unlock()
65
66 log := p.log.With(zap.String("ca", ca.ID))
67
68 // only maintain the root if it's not manually provided in the config
69 if ca.Root == nil {
70 if ca.needsRenewal(ca.root) {
71 // TODO: implement root renewal (use same key)
72 log.Warn("root certificate expiring soon (FIXME: ROOT RENEWAL NOT YET IMPLEMENTED)",
73 zap.Duration("time_remaining", time.Until(ca.interChain[0].NotAfter)),
74 )
75 }
76 }
77
78 // only maintain the intermediate if it's not manually provided in the config
79 if ca.Intermediate == nil {
80 if ca.needsRenewal(ca.interChain[0]) {
81 log.Info("intermediate expires soon; renewing",
82 zap.Duration("time_remaining", time.Until(ca.interChain[0].NotAfter)),
83 )
84
85 rootCert, rootKey, err := ca.loadOrGenRoot()
86 if err != nil {
87 return fmt.Errorf("loading root key: %v", err)
88 }
89 interCert, interKey, err := ca.genIntermediate(rootCert, rootKey)
90 if err != nil {
91 return fmt.Errorf("generating new certificate: %v", err)
92 }
93 ca.interChain, ca.interKey = []*x509.Certificate{interCert}, interKey
94
95 log.Info("renewed intermediate",
96 zap.Time("new_expiration", ca.interChain[0].NotAfter),
97 )
98 }
99 }
100
101 return nil
102}
103
104// needsRenewal reports whether the certificate is within its renewal window
105// (i.e. the fraction of lifetime remaining is less than or equal to RenewalWindowRatio).

Callers 2

maintenanceForCAMethod · 0.95
renewCertsMethod · 0.95

Calls 6

needsRenewalMethod · 0.80
DurationMethod · 0.80
loadOrGenRootMethod · 0.80
genIntermediateMethod · 0.80
WithMethod · 0.45
StringMethod · 0.45

Tested by

no test coverage detected